From 15f6ec96327d69d19fcce937811214e113341f58 Mon Sep 17 00:00:00 2001 From: Inon S Date: Tue, 29 May 2018 11:07:16 +0300 Subject: [PATCH] LFS: make HTTP auth period configurable (#4035) * LFS: make HTTP auth period configurable * Formatting: Removed semicolon Due to automated fmt-check failure (drone.gitea.io) * applying code reviews * Applied code review comment: Change HTTPAuthExpiry to time.Duration * Updated config cheat sheet --- cmd/serv.go | 2 +- custom/conf/app.ini.sample | 2 ++ .../content/doc/advanced/config-cheat-sheet.en-us.md | 1 + modules/setting/setting.go | 12 ++++++++---- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/cmd/serv.go b/cmd/serv.go index 5d567e6d64..990355be98 100644 --- a/cmd/serv.go +++ b/cmd/serv.go @@ -268,7 +268,7 @@ func runServ(c *cli.Context) error { claims := jwt.MapClaims{ "repo": repo.ID, "op": lfsVerb, - "exp": now.Add(5 * time.Minute).Unix(), + "exp": now.Add(setting.LFS.HTTPAuthExpiry).Unix(), "nbf": now.Unix(), } if user != nil { diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample index 184fa8e8cc..ef88e5c327 100644 --- a/custom/conf/app.ini.sample +++ b/custom/conf/app.ini.sample @@ -189,6 +189,8 @@ LFS_START_SERVER = false LFS_CONTENT_PATH = data/lfs ; LFS authentication secret, change this yourself LFS_JWT_SECRET = +; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail. +LFS_HTTP_AUTH_EXPIRY = 20m ; Define allowed algorithms and their minimum key length (use -1 to disable a type) [ssh.minimum_key_sizes] diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 69f588ebe8..3f8ebea61f 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -115,6 +115,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`. - `LFS_START_SERVER`: **false**: Enables git-lfs support. - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files. - `LFS_JWT_SECRET`: **\**: LFS authentication secret, change this a unique string. +- `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail. - `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests on another (https) port. - `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true. diff --git a/modules/setting/setting.go b/modules/setting/setting.go index b23a68e3ac..c8add5fd31 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -136,10 +136,11 @@ var ( } LFS struct { - StartServer bool `ini:"LFS_START_SERVER"` - ContentPath string `ini:"LFS_CONTENT_PATH"` - JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` - JWTSecretBytes []byte `ini:"-"` + StartServer bool `ini:"LFS_START_SERVER"` + ContentPath string `ini:"LFS_CONTENT_PATH"` + JWTSecretBase64 string `ini:"LFS_JWT_SECRET"` + JWTSecretBytes []byte `ini:"-"` + HTTPAuthExpiry time.Duration `ini:"LFS_HTTP_AUTH_EXPIRY"` } // Security settings @@ -828,6 +829,9 @@ func NewContext() { LFS.ContentPath = filepath.Join(AppWorkPath, LFS.ContentPath) } + sec = Cfg.Section("LFS") + LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(20 * time.Minute) + if LFS.StartServer { if err := os.MkdirAll(LFS.ContentPath, 0700); err != nil {